All organizations need to keep their applications and devices secure, and those applications and devices must comply with the security baselines the organization defines. A security configuration checklist (also called a lockdown guide, hardening guide or benchmark) is a series of instructions for configuring a product to a particular security baseline. IT security checklists are especially helpful to small organizations and individuals with limited resources for securing their systems.
Having a security baseline is important because the security settings an organization requires are so numerous and varied that many of them would otherwise be neglected. For example, there are over 4,800 Group Policy settings for Windows 10 and Internet Explorer 11. For this reason almost all major companies in the information technology and network security field now publish their own security baselines, and a network administrator is wise to use them.
In this blog post we have collected and combined some of these security baselines (provided by various organizations) for you to use.
Password settings should be divided into several categories, each with its own standards. These categories are:
- Password standards for standard accounts
- Password standards for administrative/privileged accounts
- Password standards for service accounts: These accounts are those used for automation, monitoring, and other non-interactive tasks not performed by an individual.
- Initial Account Provisioning
- Password Protection
Password standards for standard accounts
- Passwords must be encrypted and/or hashed while in transit to the authenticating system.
- Passwords should not be too short. Passwords should contain at least 12 characters.
- Passwords must be complex. The password must contain characters from three of the following four categories:
  - Upper case: A B C …
  - Lower case: a b c …
  - Numbers: 1 2 3 …
  - Symbols: + - _ = . @ ? ! …
- Passwords should not be displayed in plain text.
Password standards for administrative/privileged accounts
In addition to the requirements for standard accounts:
- Passwords may not be re-used for a period of 12 months.
- Passwords should be at least 15 characters long and they should be complex.
- Accounts must use Multi-Factor Authentication (MFA) where possible.
Password standards for service accounts
In addition to the requirements for standard accounts:
- Passwords must be at least 16 characters.
- User IDs and passwords shall never be used through an interactive logon mechanism except for testing/setup purposes.
- Service accounts must have a responsible point of contact or sponsor.
- Service accounts must be reviewed annually to ensure they are properly used, secured, and necessary.
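An added example (not from the original post) that checks a candidate password against the three tiers above: 12 characters for standard, 15 for administrative and 16 for service accounts, plus the three-of-four character-category rule. The function name is hypothetical, and treating any non-alphanumeric character as a "symbol" is an assumption.

```powershell
# Added example (not from the original post): check a candidate password against
# the three account tiers defined above. Test-BaselinePassword is a hypothetical
# name; treating any non-alphanumeric character as a "symbol" is an assumption.
function Test-BaselinePassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [ValidateSet('Standard', 'Administrative', 'Service')]
        [string] $AccountType = 'Standard'
    )

    # Minimum lengths per tier: 12 standard, 15 administrative, 16 service.
    $minLengths = @{ Standard = 12; Administrative = 15; Service = 16 }
    $minLength  = $minLengths[$AccountType]
    $findings   = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $minLength) {
        $findings.Add("Too short: $($Password.Length) chars, $AccountType accounts need at least $minLength.")
    }

    # Complexity: characters from three of the four categories.
    # -cmatch is required: plain -match is case-insensitive and would
    # report upper case present for an all-lowercase password.
    $categories = [ordered]@{
        'upper case' = '[A-Z]'
        'lower case' = '[a-z]'
        'numbers'    = '[0-9]'
        'symbols'    = '[^A-Za-z0-9]'
    }
    $present = @($categories.Keys | Where-Object { $Password -cmatch $categories[$_] })
    if ($present.Count -lt 3) {
        $missing = @($categories.Keys | Where-Object { $present -notcontains $_ })
        $findings.Add("Not complex enough: $($present.Count) of 4 categories used (missing: $($missing -join ', ')).")
    }

    # Report only the verdict, never the password itself (no plain-text display).
    [pscustomobject]@{
        AccountType = $AccountType
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

# Constructed sample: 23 characters, lower case + numbers + symbols = 3 of 4 categories.
Test-BaselinePassword -Password 'correct-horse-battery-9' -AccountType Service
```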
Initial Account Provisioning
Newly provisioned user accounts must have a secure password set by the account holder.
If, however, an initial account password is set before the account is handed off to the account holder:
- Account holders must be able either to activate the account and set a password before use, or to be required to set a password during initial access to the system.
- All vendor-supplied passwords, including service accounts, must be changed as soon as possible after system/application deployment and before becoming operational.
- Individuals should be confirmed as the intended recipient by contact via an authorized work phone number, verification of personal data, photo ID, or similar means.
- If an automated process is not available, initial or reset passwords may be communicated via:
  - Mail (sealed envelope)
  - Encrypted file transfer (e.g., Filelocker or similar)
  - Verbal conversation, either by phone call to an authorized work telephone number or in person
Security Baselines for Virtual Machine (VM) or Physical Server
- Assign an IP address and register a DNS record.
- Servers must be in a dedicated IP address subnet or a VLAN.
- Each server must have a local administrator account.
- Standalone servers are not recommended; all servers must be joined to the Active Directory domain.
- Set up remote access only if necessary.
- Ensure the system time and date are accurate, and set up time synchronization.
- Configure log collection.
- Configure automatic periodic backups.
- Configure monitoring of the host, and if applicable, essential services.
- Perform testing of the services and/or application.
- Document any necessary configuration parameters, application guidelines, or user support instructions.
- Communicate the launch of the service or application to appropriate entities.
- Perform BIOS configuration and upgrade (on physical servers).
- Set up RAID (if applicable).
- Build each new server in a DMZ network that is not open to the internet.
- Set up out-of-band management (e.g. HP iLO or Dell DRAC).
- Perform firmware and driver upgrades.
- Set a BIOS/firmware password to prevent unauthorized changes.
- Configure the boot menu/order.
- All firewall implementations should adopt the principle of “least privilege” and deny all inbound traffic by default.
- Firewalls must be installed within production environments where “Confidential Information” is captured, processed or stored, to help achieve functional separation between web servers, application servers and database servers.
- Firewall rulesets and configurations require an annual review to ensure they still afford the desired level of protection.
- Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device).
- Any organization operating under an e-merchant license is required to have properly configured firewalls in place to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
- Network firewall administration logs (showing administrative activity) and event logs (showing traffic activity) are to be written to alternate storage and reviewed regularly.
- Configure and apply automatic updates (via GPO or WSUS).
- Confirm that security updates are installed on a regular basis.
- Install anti-malware if required, and keep it up to date at all times.
- Protect newly installed machines from hostile network traffic.
- Vulnerability scans must be scheduled to run and be reviewed at least monthly.
- Install anti-spyware software.
- Remove or disable any services which are not necessary for the server/application to function properly.
- Do not allow any shares to be accessed anonymously.
- Remove or disable any user accounts which are not necessary for the server/application to function properly.
- Servers must be configured to emit logs to a dedicated log collection server.
- Configure the device boot order on all computers.
- Enable automatic notification of patch availability.
- Disable NetBIOS over TCP/IP.
- Block access to unnecessary ports/services.
- Record every change made to each server.
- Thoroughly test and validate every proposed change to server hardware or software.
Infrastructure Device Access Security Baselines
- Review all available terminal and management ports and services.
- Disable all terminal and management ports that are not explicitly required.
- Use only secure access protocols such as SSH and HTTPS for remote access to these devices.
- Never use Telnet.
- Only accept access attempts to authorized ports and services from authorized originators.
- Authenticate all terminal and management access using centralized (or local) AAA.
- Authorize all interactive and privileged EXEC level device management access using centralized (or local) AAA.
- Enforce an active session timeout.
- Detect and close hung sessions.
- Enforce a strong password policy (this may be done on the AAA server).
- Restrict the frequency of login attempts.
- Restrict the maximum number of concurrent sessions
- Employ strong secrets for authentication between the AAA server and NAS
- Disable HTTP/HTTPS access if not required
- Only permit web access from authorized originators
- Enforce an idle timeout to detect and close inactive sessions
- Restrict the permitted rate of login attempts
- Disable SNMP access if not required
- Only use SNMP v3 where possible
- Delete default community strings
- Define strong, non-trivial community strings where SNMP required
- Enable only operationally important traps
- Enforce strong encryption of locally stored information
- Configure NTP across all devices
- Log all successful interactive device management access using centralized AAA or an alternative, e.g. syslog
- Log all failed interactive device management access using centralized AAA or an alternative, e.g. syslog
- Log all failed privileged EXEC level device management access using centralized AAA or an alternative, e.g. syslog
- Send an SNMP trap on community name authentication failures to track failed access attempts
- Send an SNMP trap for configuration changes and environmental monitor threshold exceptions
- Log all system-level events, e.g. reboot, accounting on/off, using centralized AAA or an alternative
Microsoft Windows Server Hardening
- Regularly perform a risk assessment.
- Disable automatic administrative logon to the recovery console.
- Configure account lockout Group Policy accordingly.
- Disallow users from creating and logging in with Microsoft accounts.
- Disable the guest account on Windows computers.
- Install the latest service packs and hotfixes from Microsoft.
- Restrict the ability to access servers from the network to Administrators and Authenticated Users.
- Configure Microsoft Network Server to always digitally sign communications.
- Do not allow “Everyone” permissions to apply to anonymous users.
- Do not allow anonymous enumeration of SAM accounts and shares.
- Disable anonymous SID/Name translation.
- Disable or delete unused user accounts.
- Enable the Windows Firewall in all profiles (domain, private, public).
- Restrict the ability to access each computer from the network to Authenticated Users only.
- Deny guest accounts the ability to log on as a service, as a batch job, locally or via RDP.
- If RDP is utilized, set the RDP connection encryption level to High.
- Disable “Enable LMHOSTS lookup”.
- Remove ncacn_ip_tcp.
- Disable the sending of unencrypted passwords to third-party SMB servers.
- Allow Local System to use the computer identity for NTLM.
- Configure allowable encryption types for Kerberos.
- Remove file and print sharing from network settings.
- Configure registry permissions.
- Protect the registry from anonymous access.
- Set MaxCachedSockets (REG_DWORD) to 0.
- Set SmbDeviceEnabled (REG_DWORD) to 0.
- Set AutoShareServer to 0.
- Set AutoShareWks to 0.
- Delete all value data INSIDE the NullSessionPipes key.
- Delete all value data INSIDE the NullSessionShares key.
- Remove unneeded Windows components.
- Enable the built-in Encrypting File System (EFS) with NTFS or BitLocker on Windows Server.
- If the workstation has significant random access memory (RAM), disable the Windows swapfile.
- Do not use AUTORUN.
- Require Ctrl+Alt+Del for interactive logins.
- Ensure all volumes are using the NTFS file system.
- Configure local file/folder permissions.
- Remove Guest, Everyone and ANONYMOUS LOGON from the user rights lists.
- Set the system date/time and configure it to synchronize against domain time servers.
- Enable audit policy.
- Configure log shipping to a SIEM for monitoring.
- Make an image of each Windows Server installation after hardening.
- Join the server to the domain and apply your domain group policies.
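An added example (not from the original post) that audits, read-only, the SmbDeviceEnabled, AutoShareServer, AutoShareWks, NullSessionPipes and NullSessionShares values from the checklist above and reports drift. The registry paths are the standard Windows locations for these values; MaxCachedSockets is left out because the checklist gives no location for it.

```powershell
# Added example (not from the original post): read-only audit of the registry
# values named in the checklist above, reporting compliance or drift per value.
# Paths are the standard Windows locations for these values; MaxCachedSockets is
# omitted because the checklist gives no location for it.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netbt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$baseline = @(
    @{ Path = $lanman; Name = 'AutoShareServer';   Expected = 0   }  # no automatic admin shares (server)
    @{ Path = $lanman; Name = 'AutoShareWks';      Expected = 0   }  # no automatic admin shares (workstation)
    @{ Path = $lanman; Name = 'NullSessionPipes';  Expected = @() }  # no pipes reachable by null sessions
    @{ Path = $lanman; Name = 'NullSessionShares'; Expected = @() }  # no shares reachable by null sessions
    @{ Path = $netbt;  Name = 'SmbDeviceEnabled';  Expected = 0   }  # disable direct-hosted SMB on the NetBT device
)

function Test-RegistryBaseline {
    param([array] $Items = $baseline)
    foreach ($item in $Items) {
        $actual = $null
        # 'Missing' for a DWORD means the Windows default applies (e.g. admin shares
        # are created), so it should be treated as non-compliant, not as a pass.
        $status = 'Missing'
        if (Test-Path $item.Path) {
            $props = Get-ItemProperty -Path $item.Path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $item.Name)) {
                $actual = $props.($item.Name)
                if ($item.Expected -is [array]) {
                    # REG_MULTI_SZ: compliant only when no non-empty entries remain
                    $ok = @($actual | Where-Object { "$_" -ne '' }).Count -eq 0
                } else {
                    $ok = ([int]$actual -eq $item.Expected)
                }
                $status = if ($ok) { 'Compliant' } else { 'Drift' }
            }
        }
        [pscustomobject]@{
            Name     = $item.Name
            Expected = if ($item.Expected -is [array]) { '<empty>' } else { $item.Expected }
            Actual   = if ($null -eq $actual) { '<not set>' }
                       elseif (@($actual).Count -eq 0) { '<empty>' }
                       else { @($actual) -join ',' }
            Status   = $status
            Path     = $item.Path
        }
    }
}

Test-RegistryBaseline | Format-Table Name, Expected, Actual, Status -AutoSize
```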
Security Baselines for Windows Workstations
- Block executable content from email client and webmail
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Picture password sign-on disabled
- PIN sign-on disabled
- Only one previous logon stored in the cache for when a DC isn’t available
- Passwords for network authentication are not stored
- Biometric or two-factor authentication used
- Authentication allowed only during authorized hours
- Device recently inspected for keyloggers
- IPsec implemented on local networks
- Configure Microsoft Edge:
  - Disable Flash
  - Disable Developer Tools
  - Enable the pop-up blocker
  - Prevent users and apps from accessing dangerous websites
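An added example (not from the original post) that applies the five attack surface reduction rules listed at the top of this section through Microsoft Defender's Add-MpPreference, defaulting to audit mode so their effect can be reviewed before blocking, and reports the configured state. The GUIDs are Microsoft's published rule IDs; confirm them against the current Microsoft Defender ASR rules reference before deploying.

```powershell
# Added example (not from the original post): apply the five attack surface
# reduction (ASR) rules listed at the top of this section via Microsoft Defender.
# GUIDs are Microsoft's published rule IDs; confirm them against the current ASR
# rules reference before deploying. Requires an elevated PowerShell session.
$asrRules = [ordered]@{
    'Block executable content from email client and webmail'             = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block Office applications from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block execution of potentially obfuscated scripts'                  = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                           = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

function Set-BaselineAsrRules {
    param(
        # Default to AuditMode: rules only log what they would have blocked, so
        # business impact can be reviewed before switching to Enabled (block).
        [ValidateSet('AuditMode', 'Enabled')] [string] $Action = 'AuditMode'
    )
    foreach ($rule in $asrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Output "$Action -> $($rule.Key)"
    }
}

function Get-BaselineAsrRuleStatus {
    # Get-MpPreference exposes parallel arrays of rule IDs and their action codes.
    $pref    = Get-MpPreference
    $actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($rule in $asrRules.GetEnumerator()) {
        $idx  = [array]::IndexOf($ids, $rule.Value)
        $code = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }
        [pscustomobject]@{
            Rule   = $rule.Key
            Id     = $rule.Value
            Status = if ($null -eq $code) { 'Not configured' } else { $actions[$code] }
        }
    }
}

Set-BaselineAsrRules -Action AuditMode
Get-BaselineAsrRuleStatus | Format-Table -AutoSize
```

Audit-mode events are written to the Microsoft-Windows-Windows Defender/Operational event log; review them for false positives before re-running with -Action Enabled.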
Wireless Security Baselines
- Document and maintain the serial numbers, names and locations of APs, controllers and any other important wireless devices.
- Limit physical access to the network room or wiring closet.
- Secure access points with security brackets or locks.
- Change all the default passwords for the Access Points and Wireless Appliances
- Disable SSH/Telnet access to all access points
- Set up RADIUS authentication to the wireless appliance GUI or CLI.
- Use RADIUS to authenticate the switch port to which the access point is connected.
- Enable SNMPv3 access only on the wireless appliance.
- Install Access Points on their own network segments
- Use Policy Roles for internal users and Guest Registration to limit guest user network access to only required resources
- Employee users should authenticate via 802.1X (TLS).
- Use WPA2-AES encryption.
- Do not use WEP or WPA-TKIP (auto).